Bug #23178

Wrong HTTP headers sent when trying to access pages that require login

Added by Ingo Renner over 9 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Link Handling, Site Handling & Routing
Target version:
-
Start date:
2010-07-14
Due date:
% Done:
100%

TYPO3 Version:
4.4
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
No
Sprint Focus:
On Location Sprint

Description

When trying to access a login-protected page while not being logged in, it may happen that a wrong header is sent.
The Install Tool allows setting a header for the page-not-found handling: [FE][pageNotFound_handling_statheader]
The default value for this setting is "HTTP/1.0 404 Not Found".
In a case where access is denied because the user is not logged in, this is of course the wrong header; it should be 401 instead.

Proposed solution: In the case where access is denied because of missing privileges, TYPO3 should ignore the mentioned setting and send a 401 instead.

(issue imported from #M15114)

15114.diff (957 Bytes) Administrator Admin, 2010-07-15 15:57


Related issues

Related to TYPO3 Core - Bug #16472: Non accessible Page And PageNotFound Handler. Closed 2006-08-15
Related to TYPO3 Core - Bug #58728: Regression: unaccessible protected section with shortcut in rootline Closed 2014-05-12
Related to TYPO3 Core - Bug #86346: Hidden pages sent 403 Header New 2018-09-21
Duplicated by TYPO3 Core - Feature #51088: Improve Frontend error handling Closed 2013-08-15

Associated revisions

Revision 2ba1bc31 (diff)
Added by Markus Klein almost 2 years ago

[BUGFIX] Set correct HTTP header when page access is denied

Accessing an existing page with insufficient permissions should
not set a 404 header but a 403 header.

Resolves: #23178
Releases: master, 8.7
Change-Id: I2470434f7600b28eaa613ee4e1669e78ceaaaec3
Reviewed-on: https://review.typo3.org/54495
Tested-by: TYPO3com <>
Reviewed-by: Georg Ringer <>
Tested-by: Georg Ringer <>
Reviewed-by: Susanne Moog <>
Tested-by: Susanne Moog <>

Revision bb39b226 (diff)
Added by Markus Klein almost 2 years ago

[BUGFIX] Set correct HTTP header when page access is denied

Accessing an existing page with insufficient permissions should
not set a 404 header but a 403 header.

Resolves: #23178
Releases: master, 8.7
Change-Id: I2470434f7600b28eaa613ee4e1669e78ceaaaec3
Reviewed-on: https://review.typo3.org/54814
Tested-by: TYPO3com <>
Reviewed-by: Markus Klein <>
Tested-by: Markus Klein <>

History

#1 Updated by Ingo Renner over 9 years ago

The solution for this issue may result in being able to remove the $TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'] option if we are always sending the correct headers.

Need to check whether there are more places where this option is used...

#2 Updated by Dmitry Dulepov over 9 years ago

TYPO3 treats such cases as "not found", not as "access denied". I am not sure why, but it is historical (since 3.x, I think). It makes sense from a security point of view because "access denied" tells that something is there, but "page not found" does not reveal that protected content exists. This is called "security by obscurity".

#3 Updated by Hassan Ait about 9 years ago

Thanks Ingo, I've just tested your fix and it works fine for me (TYPO3 Version: 4.3). What about adding a different error page for unauthorized pages? I made a test with the following code and it works for me. It requires adding a new parameter [FE][pageUnauthorized_handling]

Index: typo3/sysext/cms/tslib/class.tslib_fe.php

    function pageNotFoundAndExit($reason = '', $header = '') {
        // Status line: an explicit $header wins, otherwise the configured
        // default ("HTTP/1.0 404 Not Found") is used
        $header = $header ? $header : $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'];
        // pageNotFound values 1 and 2 mark the access-denied cases: use the
        // dedicated handler for them when configured, else the normal 404 handler
        if ($this->pageNotFound === 1 || $this->pageNotFound === 2) {
            $code = $this->TYPO3_CONF_VARS['FE']['pageUnauthorized_handling']
                ? $this->TYPO3_CONF_VARS['FE']['pageUnauthorized_handling']
                : $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling'];
        } else {
            $code = $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling'];
        }
        $this->pageNotFoundHandler($code, $header, $reason);
        exit;
    }

#4 Updated by Ingo Renner over 7 years ago

  • Category deleted (Communication)
  • Assignee set to Ingo Renner
  • Target version deleted (0)

#5 Updated by Gerrit Code Review over 7 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281

#6 Updated by Gerrit Code Review over 7 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281

#7 Updated by Ingo Renner over 7 years ago

  • Target version set to 6.0.0

#8 Updated by Gerrit Code Review over 7 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281

#9 Updated by Gerrit Code Review over 7 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281

#10 Updated by Gerrit Code Review about 6 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/10281

#11 Updated by Christian Kuhn almost 5 years ago

  • Status changed from Under Review to New
  • Is Regression set to No

The pending patch was abandoned after some discussion.

The solution should be different and needs a new approach. Some hints on how this could be solved are given in the abandoned patch for anyone who wants to pick this issue up again and re-push a new solution.

#12 Updated by Mathias Schreiber almost 4 years ago

  • Target version deleted (6.0.0)

#13 Updated by Susanne Moog almost 2 years ago

  • Category set to Link Handling, Site Handling & Routing
  • Assignee deleted (Ingo Renner)

#14 Updated by Markus Klein almost 2 years ago

This must be a 403 header. 401 must only be used together with an HTTP authentication header, not with custom authentication within PHP.
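The status-code decision that the description, comment #2 and comment #14 disagree about, as an added example that is not part of this issue or of TYPO3's code. The site map, `respond()`, `validate()` and `enumerate_protected()` are hypothetical names of my own; `hide_protected` models the historical "404 for protected pages" behaviour Dmitry describes, and `http_auth_realm` models the HTTP-authentication case in which a 401 is legitimate. Python is used as a language-neutral illustration rather than PHP.

```python
# Added example (not TYPO3 code): choosing the status for a frontend page
# request, and what an unauthenticated probe can learn from that choice.
# SITE, respond(), validate() and enumerate_protected() are hypothetical names.
from dataclasses import dataclass, field


@dataclass
class Page:
    path: str
    requires_login: bool = False


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Constructed site map: one public page and one login-protected page.
SITE = {
    "/": Page("/"),
    "/members": Page("/members", requires_login=True),
}


def respond(path, logged_in, http_auth_realm=None, hide_protected=False):
    """Return the response a request for `path` should get.

    unknown path                        -> 404
    protected page, visitor not logged in:
        http_auth_realm given           -> 401 plus WWW-Authenticate
                                           (RFC 7235: a 401 must carry the
                                           challenge; comment #14's point)
        hide_protected                  -> 404, do not reveal that protected
                                           content exists (comment #2)
        otherwise                       -> 403, existing page, access denied
                                           (what the fix for #23178 sends)
    anything else                       -> 200
    """
    page = SITE.get(path)
    if page is None:
        return Response(404)
    if page.requires_login and not logged_in:
        if http_auth_realm is not None:
            challenge = 'Basic realm="%s"' % http_auth_realm
            return Response(401, {"WWW-Authenticate": challenge})
        if hide_protected:
            return Response(404)
        return Response(403)
    return Response(200)


def validate(resp):
    """Reject a 401 that lacks the WWW-Authenticate challenge. A PHP-side
    login form has no challenge to send, which is why 403 is the right code."""
    if resp.status == 401 and "WWW-Authenticate" not in resp.headers:
        raise ValueError("401 without WWW-Authenticate challenge")
    return True


def enumerate_protected(candidates, hide_protected=False):
    """Simulate an unauthenticated probe: which candidate paths answer 403,
    i.e. are revealed as existing-but-protected? With hide_protected the
    protected page is indistinguishable from a missing one."""
    return sorted(
        p for p in candidates
        if respond(p, logged_in=False, hide_protected=hide_protected).status == 403
    )


if __name__ == "__main__":
    for p in ("/", "/members", "/nope"):
        print(p, respond(p, logged_in=False).status)
    print("probe, 403 policy:", enumerate_protected(["/", "/members", "/nope"]))
    print("probe, 404 policy:", enumerate_protected(["/", "/members", "/nope"], True))
```

`enumerate_protected()` makes the trade-off in comment #2 concrete: with a 403, an unauthenticated probe can tell a protected page apart from a missing one; with the 404 mapping it cannot, at the cost of giving legitimate users and clients a misleading status.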

#15 Updated by Gerrit Code Review almost 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495

#16 Updated by Gerrit Code Review almost 2 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495

#17 Updated by Benni Mack almost 2 years ago

  • Sprint Focus set to On Location Sprint

#18 Updated by Gerrit Code Review almost 2 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495

#19 Updated by Markus Klein almost 2 years ago

  • Assignee set to Markus Klein

#20 Updated by Gerrit Code Review almost 2 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814

#21 Updated by Markus Klein almost 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#22 Updated by Gerrit Code Review almost 2 years ago

  • Status changed from Resolved to Under Review

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814

#23 Updated by Gerrit Code Review almost 2 years ago

Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814

#24 Updated by Gerrit Code Review almost 2 years ago

Patch set 4 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814

#25 Updated by Markus Klein almost 2 years ago

  • Status changed from Under Review to Resolved

#26 Updated by Sascha Egerer about 1 year ago

  • Related to Bug #86346: Hidden pages sent 403 Header added

#27 Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed
